Information Governance and Security Policy documents
All members of the university must act in accordance with the following laws and University policies. Please note that further policy documents will be added as these are drafted.
On this page
- Information Security Policy documents
- Information Governance policies
- Implementation details
- Further guidance
Information Security Policy documents
ISP-01 Information security policy
This policy outlines the scope, structure, principles and means of governance for this and the entire Information Security Policy suite. It broadly defines the responsibilities for all University Members and others who have been granted access to process University data, with the goal of ensuring data remains secure and compliant with both University policy and relevant legislation.
ISP-03 Compliance policy
This policy sets out the requirement for all staff, students, and authorised users to follow legal and regulatory obligations when handling university data and using its IT systems. It outlines responsibilities related to compliance with UK laws, internal security policies, records management, payment card security, software licensing, and network usage to support the protection of sensitive information and maintain the university's legal and ethical standards.
ISP-04 Outsourcing and third party compliance policy
This policy seeks to ensure that when the University works with external parties, the security of its data and systems is maintained. It outlines the need for careful risk assessments, contracts, and due diligence to protect information. The policy also addresses data protection laws, ensuring any third party access complies with legal standards. This helps minimise risks and ensures that any outsourced services meet the University's security expectations.
ISP-05 Human resources
This policy outlines the procedures to ensure that staff, contractors and third parties are equipped to protect the University's information assets. It covers recruitment, training, IT access, and employee conduct. The policy seeks to ensure that individuals follow clear protocols, with mandatory security training, access restrictions, and accountability for any misconduct.
ISP-07 Information handling policy
This policy outlines the University's requirements for handling its information assets, ensuring compliance with legislation and protecting against data breaches or loss. It sets rules for how information should be classified, accessed, stored, and disposed of, ensuring secure handling and compliance with legal obligations. The policy impacts all University members and others granted access to its information, promoting accountability and data security.
ISP-08 User management policy
This policy outlines the requirements for managing user accounts and appropriate access to the University’s information systems. It covers the full account lifecycle (creation, review and removal), and requires security measures such as Multi-Factor Authentication (MFA) and the separation of standard and privileged user accounts.
ISP-09 Acceptable use policy
This policy sets out the expected behaviours and responsibilities for using the University’s information systems, networks, and computers. It ensures that those who have been provisioned access to these resources use these resources responsibly, protecting against misuse, security risks, and legal violations. The policy promotes the secure use of digital services while outlining the consequences of unacceptable activities, helping maintain a safe, secure and efficient working environment.
ISP-11 System management policy
This policy outlines the responsibilities of those who manage the University’s computer systems, ensuring their security, integrity, and availability. It requires system administrators and technical service managers to apply security patches, monitor systems, and manage access controls. The policy impacts how systems are managed, ensuring that sensitive information is protected and that systems are secure and regularly tested for vulnerabilities.
ISP-12 Network management policy
This policy seeks to ensure the secure and efficient management of the University’s communication networks. It outlines responsibilities for network design, access control, and security, requiring staff and third parties to follow strict procedures to protect the network’s integrity. The policy aims to prevent unauthorised access, secure network resources, and minimise risks from external threats, supporting the University’s overall information security efforts.
ISP-13 Software management policy
This policy sets out the University’s approach to ensuring the security and management of software. It covers procurement, installation, regulation, maintenance, and removal of software to protect University data and assets. The policy seeks to ensure compliance with legal and contractual obligations, and licensing agreements, including requirements to address security vulnerabilities and prevent the use of unlicensed or malicious software.
ISP-14 Mobile and remote working policy
This policy outlines the security requirements for using mobile and remote devices to access University data. It applies to all University members and any other parties that have been granted access to University systems, and covers personally owned, University-owned, and third party devices. The policy aims to protect sensitive University data via security measures such as device encryption, secure passwords, and safe working environments, ensuring compliance with data protection laws and minimising security risks when working remotely or using mobile devices.
ISP-16 Encryption policy
This policy outlines the University's approach to protecting data through encryption, ensuring that information classified as Confidential or above is safeguarded during storage and transfer. It applies to all systems and individuals handling such data, mandating the use of industry-standard encryption methods. The policy highlights the importance of secure key management and compliance with legal requirements, including the potential requirement to decrypt data when travelling abroad.
ISP-18 Investigation of computer use policy
This policy outlines the circumstances under which the University may monitor and access the IT accounts, communications, and data of its members. It ensures that monitoring is done lawfully and with appropriate authorisation to maintain data security, comply with regulations, and investigate misuse. This policy balances privacy with the need to protect University assets and ensure compliance with legal and regulatory obligations.
ISP-19 PCI-DSS Cardholder data policy
This policy seeks to ensure that the University of Bristol complies with global security standards to protect credit and debit card information. It prohibits storing cardholder data on local hard drives, shared storage, cloud storage solutions, or any removable media under any circumstances, and sets rules for handling and transmitting card data to prevent fraud and breaches of cardholder data. Violations of this policy can result in financial penalties and loss of card payment capabilities, significantly impacting the University's operations, as well as leading to disciplinary actions for individuals. Compliance is mandatory for all members of the University and third party service providers involved in card transactions.
Information Governance Policies
- IGP-01 Information Governance Policy - This Policy establishes the key high-level principles of Information Governance at the University of Bristol and sets out responsibilities and reporting lines for members of staff. It provides an over-arching framework for Information Governance across the University.
Implementation details
- Guide to legislation relevant to Information Security Policy (PDF, 206kB)
- Guidelines for system and network administrators (PDF, 44kB)
Further guidance
- Data Protection - the Act gives individuals rights over their personal data and protects them from the erroneous use of their personal data. The Act also requires anyone who handles personal data to comply with a number of important principles and legal obligations.
- Copyright - this website sets out the details of licences that allow staff to copy material for educational purposes and gives advice on aspects of copyright not covered under the various licensing schemes.
- Freedom of Information - the Freedom of Information Act was introduced in 2005 to promote transparency in public bodies and introduced a public "right to know".
Any use of the Internet from (or via) the University network is also subject to the following policies: